I've had a hellish weekend after one of our VPN sites in Shanghai went down, I'll call it site A. Site A has a standard internet circuit provided by China Unicom and was originally set up with an IPSEC VPN to our Hong Kong data centre where it could utilize our global MPLS. We had latency problems with that VPN, so instead set up a new tunnel to another site in Shanghai, site B, which had its own MPLS feed and that worked great up until yesterday.
The WAN address we use at site A ends in .203, but since yesterday we were seeing ESP discards coming in from .205. I tried moving the VPN back to our DC in Hong Kong but was seeing ESP discards from .205 in the logs on the ASA at our Hong Kong DC. I turned NAT-T on, which didn't resolve the problem, but had this log entry on Site A:
Automatic NAT Detection Status: Remote end is NOT behind a NAT device **This end IS behind a NAT device**
We hooked a laptop directly up to the ISP router and when doing a whatsmyip, found that it was different to the public IP we had statically configured on the laptop. Even if we changed the IP on the laptop to .205, it was NAT'd again to something else in the /29 they provided us.
China Unicom insist they are not NATing us, but we've tried an ASA and a direct laptop and are seeing a different IP every time. Because of this we can't VPN anywhere, and this site is completely cut off from our MPLS.
Any suggestions on what we can do would be very helpful...
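For anyone reading this later, the "This end IS behind a NAT device" line comes from IKE NAT discovery (RFC 3947 NAT-D payloads), and it is worth understanding why the ASA is right even when the ISP says no NAT exists. The following is an added example, not code from the post or from Cisco: it models both peers computing NAT-D hashes, with the DC seeing site A's packets arrive from .205 while site A believes it is .203. Assumptions: the NAT-D formula HASH(CKY-I | CKY-R | IP | Port) from RFC 3947 with SHA-1 as the negotiated hash, and placeholder addresses from the TEST-NET-3 documentation range in place of the real /29.

```python
import hashlib
import ipaddress

# Constructed placeholders (TEST-NET-3), not the real addresses from the post.
SITE_A_CONFIGURED = "203.0.113.203"   # what site A believes its WAN address is
SITE_A_SEEN_BY_DC = "203.0.113.205"   # source address the DC actually receives
DC_PEER = "198.51.100.10"             # Hong Kong DC peer address (placeholder)
ISP_BLOCK = ipaddress.ip_network("203.0.113.200/29")  # placeholder for the ISP /29
IKE_PORT = 500

# Fixed ISAKMP cookies so the example is deterministic; real ones are random.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload per RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port).
    IP is in network byte order and the port is a 2-byte big-endian value."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + addr + port.to_bytes(2, "big")).digest()


def behind_nat(my_ip: str, my_port: int, hash_from_peer: bytes) -> bool:
    """A peer hashes the source address/port it observed on the wire. If that hash
    does not match the hash of the address we think we have, a NAT sits in front of us."""
    return nat_d_hash(CKY_I, CKY_R, my_ip, my_port) != hash_from_peer


def simulate(site_a_ip: str, seen_by_dc_ip: str, dc_ip: str, port: int = IKE_PORT) -> dict:
    """Both ends exchange NAT-D payloads; return what each end concludes about itself."""
    # DC builds its NAT-D for the remote end from the packet source it actually saw.
    dc_hash_of_site_a = nat_d_hash(CKY_I, CKY_R, seen_by_dc_ip, port)
    # Site A builds its NAT-D for the remote end from the DC address it received from.
    site_a_hash_of_dc = nat_d_hash(CKY_I, CKY_R, dc_ip, port)
    return {
        "site_a_behind_nat": behind_nat(site_a_ip, port, dc_hash_of_site_a),
        "dc_behind_nat": behind_nat(dc_ip, port, site_a_hash_of_dc),
        # Observed source inside the ISP-assigned block points at translation upstream
        # of the CPE, i.e. on the provider side rather than on our own equipment.
        "observed_in_isp_block": ipaddress.ip_address(seen_by_dc_ip) in ISP_BLOCK,
    }


if __name__ == "__main__":
    print(simulate(SITE_A_CONFIGURED, SITE_A_SEEN_BY_DC, DC_PEER))
```

With these inputs the model reproduces the ASA's verdict exactly: the DC end is not behind NAT, site A is, and the translated source lies inside the provider's own block, which is the evidence to put in front of the ISP.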